We recommend you fix this vulnerability

We regularly conduct private security audits of our software. Unlike most times, in March 2022 we’ve discovered a security issue that m...

We regularly conduct private security audits of our software. Unlike most times, in March 2022 we’ve discovered a security issue that might affect you.

Severity

It’s a “moderate” vulnerability… but being an admin panel, we take this seriously. It’s difficult… but an attacker could conduct a targeted phishing campaign, in order to trick your users or admins to click a malicious link, which under very specific circumstances could give them information... or even admin access. It’s unlikely, but that’s not good enough in admin panels - we should make it impossible. That’s why we’re bothering you with this.

If you haven't already fixed this, we recommend fixing it now. It takes one minute.

How to Fix

If you don’t have custom error views, the views provided by Backpack will output the exception message without escaping it, which makes an attack possible using Reflected XSS, in some very specific circumstances (that we will not disclose). To fix those error views in Backpack 4.x and 5.x, please run:

composer update backpack/crud
php artisan backpack:fix

Alternatively (if you don’t want to run composer update), you can manually look inside your error views in “resources/views/errors” and output e($exception->getMessage()) instead of $exception->getMessage(). That’s all there is to the fix, really.

Of course, new installations do not have this vulnerability.

What We’re Doing About This

We’ve acted as soon as our team found it (last week of March 2022):

• We’ve pushed patches to 5.x, 4.1 and 4.0;
• We’ve made it easy to apply the fix to existing projects, using a new php artisan backpack:fix command;
• We’ve kept the specific circumstances a secret; as far as we know, only our team knows about the niche case where this exploit is possible;
• We’ve emailed all our licensed users, to have a chance to fix their projects before it’s public;
• We've sent an email blast to our 25.000+ strong Security Newsletter;
• We've made this public with a blog post (this is it) and a CVE, after our community has had a reasonable chance to fix their projects;
• We will continue to monitor this and remind paying users to apply this fix if they haven’t;

We’re writing this blog post to admit our fault, tell you we fixed it and show you we’ve got your back. We’re regularly conducting these security audits, to double-check and triple-check our software. Thanks to them, we discovered this ourselves, before anybody else.

Again, we’re sorry this has slipped through. We hope this shows that even if we make mistakes, we own them, repair them and tell you about them. Thank you for your trust.

Please do the fix above, it’s super-easy. Cheers!